Cryptography Reference
[Fig. 5.1 Countermeasures for symmetric key primitives. Diagram labels: Fault Countermeasures; Protocol; Re-keying; Coding-Theoretic; Modular Redundancy; Patches; Loop Counters; CRCs; Randomization; Masking; Hardware; Parities; Software; Digest values; Embeddings; Hardware; Space red.; Inverse; Pipelining; Software; Time red.; Inverse]
provide (almost) complete protection for the algorithm. Besides that, more general
building blocks that patch only a specific attack scenario or offer only limited
protection can be used. They are usually applied to repair weaknesses of other countermeasures.
Finally, in scenarios where the algorithm is not fixed, the protection can
be implemented at protocol level.
We start our discussion in Sect. 5.2 with the general building blocks and techniques
that are not tailored to a special algorithm. Afterwards, Sect. 5.3 shows how DMR
schemes can be optimized using block cipher-specific properties. We explain the
different approaches for hardware and software implementations. Next, we look at
the second main topic: coding-theoretical countermeasures. Section 5.4 focuses on
possibilities of using error detection codes to protect AES implementations. These
solutions are directly tailored to the algorithm. Finally, we discuss protocol-level
countermeasures, which do not protect the cipher itself, but embed it into a protocol
that makes fault attacks impractical. Section 5.5 presents the different protocol-level
approaches and discusses their strengths and drawbacks. The chapter is concluded
in Sect. 5.6.
5.2 General Building Blocks to Protect Implementations
In order to protect implementations against fault attacks, several methods, which can
be applied to any algorithm, are available. In the following, we discuss some of these
building blocks.
5.2.1 Protecting Loops
A very powerful method to attack a device is to tamper with the counter of a loop.
An adversary can try to reduce the number of rounds performed during the
computation of a symmetric cipher and apply cryptanalytic methods afterwards to